Installing and commissioning transceivers coupled to loads

ABSTRACT

The invention provides a lighting system comprising a lighting device, a remote database and a controller. The lighting device includes at least a transceiver (21, 31) coupled to a load (22, 32), said transceiver (21, 31) comprising at least one identification information and at least one security information wherein said security information is used for securing the communication with the transceiver (21, 31). The remote database storing the identification information and an associated identification information for each lighting device. The controller (1) comprises a first interface (11) for a first communication with the transceiver (21, 31), and a second interface (12) for a second communication with a database (4). The controller (1) is adapted to retrieve the identification information of the transceiver (21, 31) through the first interface, to retrieve the associated identification information from the remote database through the second interface, and to use the security information to secure the first communication.

FIELD OF THE INVENTION

The invention relates to a controller for managing a transceiver, whichtransceiver is configured to be coupled to a load, and which transceiveris configured to form part of a network. The invention further relatesto an installer device comprising such a controller, to a commissionerdevice comprising such a controller, to a transceiver configured to bemanaged by such a controller, to a load device comprising such atransceiver and further comprising the load, to a database for storingidentification information and security information and for exchangingthe identification information and the security information with thecontroller, and to a method for managing a transceiver. Such controllersform for example parts of installer devices and commissioner devices.Such installer devices and commissioner devices are for example smartphones with apps. Such transceivers are for example ZigBee™transceivers, WiFi transceivers and 6LoWPAN transceivers. Such loads arefor example street-lamps, environmental-sensors, ceiling-lamps,wall-switches and wall-dimmers.

BACKGROUND OF THE INVENTION

US 2014/0167623 A1 discloses commissioning for a lighting network,without discussing the security of the commissioning.

US2014/239816 discloses the use of a commissioning device that needs tostore a database with connection information for connecting thedifferent luminaire of the lighting network.

US2015/173154 discloses a lighting network of connected luminairewherein a portable commissioning device is used for indicating whichluminaire should be remotely control through an RF network.

US2014/265920 discloses a centralized lighting network using a portabledevice for installing a new lighting device in the lighting network.

US2014/277805 discloses a lighting network using RF communication forinterconnecting all the devices including luminaire, several switch andalso laptop or smartphone for commissioning the luminaires.

None of these documents provides a network that could be easily controlby a local device with sufficient security for preventing any device tocontrol a lighting network.

SUMMARY OF THE INVENTION

It is an object of the invention to provide an improved controller. Itis a further object of the invention to provide a lighting system with acommissioner device, to provide a commissioner device, to provide alighting device and to provide a corresponding improved method of lightcommissioning.

According to a first aspect, it is provided a lighting system comprisingat least one lighting device, a remote database, and at least acontroller. The at least one lighting device includes at least atransceiver coupled to a load, said transceiver comprising at least oneidentification information and at least one security information whereinsaid security information is used for securing the communication withthe transceiver. The remote database stores the identificationinformation and an associated identification information for eachlighting device. The at least a controller for managing the transceiver.The controller comprises a first interface for a first communicationwith the transceiver, and a second interface for a second communicationwith a database. The controller is adapted to retrieve theidentification information of the transceiver through the firstinterface. The controller is able to retrieve the associatedidentification information from the remote database through the secondinterface. Then, the controller can use the security information tosecure the first communication.

A controller is provided for managing a transceiver of a lightingdevice. The lighting device can be a street-lamp, a ceiling-lamp, or awall-switch for switching the ceiling-lamp, or a wall-dimmer for dimmingthe ceiling-lamp. Other loads are not to be excluded, in indoorapplications (for example office-lighting) and in outdoor applications(for example street-lighting and parking-lot-lighting). The controllercomprises a first interface for a first communication with thetransceiver, and a second interface for a second communication with adatabase. Usually, these first and second communications will becommunications according to different protocols, without having excludedthat the first and second communications are communications according tothe same protocol. The database is configured to store identificationinformation and security information. The identification information isconfigured to identify the transceiver or a network comprising thetransceiver. The transceiver is, in case of the network beingidentified, configured to form part of such a network.

A relatively small network may comprise the transceiver, possiblycoupled to one or more loads, and the controller. A relatively largenetwork may comprise several transceivers, each one possibly coupled toone or more loads, and the controller. The relatively large network mayfurther comprise a bridge, a gateway or a border router. In allsituations, the controller does not need to form part of the network allthe time. For example during installing the transceiver, a controllerhaving an installing function may form part of the network, andotherwise not. For example during commissioning the transceiver, acontroller having a commissioning function may form part of the network,and otherwise not. This is for instance the case when the controller isused for securely configuring a time-based dimming schedule of one ormore street-lights, with each street-light comprising an autonomousoperation. Other examples are not to be excluded. In case of therelatively small network, the identification information identifies thetransceiver. In case of the relatively large network, the identificationinformation identifies the transceiver or identifies the networkcomprising the several transceivers. The security information isconfigured to secure the first communication.

As a result, the controller has become capable of exchanging, via thesecond communication, the identification information and the securityinformation with the database. The identification information allows thetransceiver or the network to which the transceiver belongs to beidentified. The security information allows the first communication tobe secured. Such an improved security is a great technical advantage.

Preferably, the database is configured to store the identificationinformation and the security information in a linked way. Then, thesecurity information can be specific security information for specificidentification information.

An embodiment of the controller is defined, wherein the transceivercomprises a wireless transceiver and wherein the network comprises awireless network and wherein the first communication comprises a firstradio communication according to a first radio protocol, and/or whereinthe second communication comprises a second radio communicationaccording to a second radio protocol. Preferably, the transceiver is awireless transceiver, and/or the first communication is a first radiocommunication according to a first radio protocol, and/or the secondcommunication is a second radio communication according to a secondradio protocol. Usually, the first and second radio protocols will bedifferent radio protocols, without having excluded that the first andsecond radio protocols comprise the same radio protocol.

Preferably, to further improve a security, the second communication canbe configured to take place via a so-called secure link, such as forexample a https link, without having excluded other kinds of securelinks. The security of the second network can be also linked directly tothe network.

According to a preferred embodiment, the lighting system comprises aninstaller device for setting the identification information and thesecurity information in the transceiver or in the remote database. Theinstaller device is provided like the controller as defined above,wherein said managing comprises installing, and wherein the secondinterface is configured to exchange the identification information andthe security information with the database, and wherein the firstcommunication is secured via the security information or otherwise. Theinstaller can be used when the security information is not set in thelighting device in the factory. According to a second aspect, acontroller is provided for controlling at least one lighting deviceincluding at least a transceiver coupled to a load, said transceivercomprising at least one identification information and at least onesecurity information wherein said security information is used forsecuring the communication with the transceiver. The controllercomprises a first interface and a second interface. The first interfaceallows a first communication with the transceiver. The second interfaceallows a second communication with a remote database storing theidentification information and an associated identification informationfor the at least one lighting device. The controller is adapted toretrieve the identification information of the transceiver through thefirst interface. The controller is adapted to retrieve the associatedidentification information from the remote database through the secondinterface. The controller is adapted to use the associated securityinformation to secure the first communication.

The controller can be an installer device having an installing functionfor installing the transceiver (read: setting up/building a networkcomprising the transceiver, by for example grouping availabletransceivers, and/or by for example conditioning and/or configuring thetransceiver at a basic, relatively low level). The second interface ofthe controller may send the identification information and the securityinformation to the database, in case the controller has produced orreceived said identification information and said security informationbefore. The second interface of the controller may receive theidentification information and the security information from thedatabase, in case the database has produced or received saididentification information and said security information before. Thefirst communication can be secured via the security information as soonas the security information is available at the transceiver. Thereto,the controller can forward the security information to the transceivervia a trigger signal in parallel to the first communication. Then, thefirst communication can be secured via the security informationimmediately. An example of such a trigger signal is a laser pointersignal (that is pointed to a day-light sensor of the transceiver or of aload coupled to the transceiver and that originates from a laser pointeron/near the installer device) or an infrared signal (that is pointed toan infrared receiver of the transceiver or of a load coupled to thetransceiver and that originates from an infrared diode on/near theinstaller device), but other examples are not to be excluded. Or, thecontroller can forward the security information to the transceiver viathe first communication that is secured in a prior art way. Then, thefirst communication can be secured via the security information as soonas the security information has become available at the transceiver.

An embodiment of the installer device is defined, wherein the installerdevice is configured to produce at least one of the identificationinformation and the security information and to send said at least oneof the identification information and the security information to thedatabase, or wherein the installer device is configured to receive atleast one of the identification information and the security informationfrom the network or a unit and to send said at least one of theidentification information and the security information to the database,or wherein the installer device is configured to receive at least one ofthe identification information and the security information from thedatabase and to send said at least one of the identification informationand the security information to the transceiver or the network.According to a first option, the installer device produces at least oneof the identification information and the security information and sendssaid at least one of the identification information and the securityinformation via its second interface to the database. According to asecond option, the installer device receives at least one of theidentification information and the security information from the networksuch as the transceiver or another transceiver or from a unit such asfor example a memory stick and sends said at least one of theidentification information and the security information via its secondinterface to the database. According to a third option, the installerdevice receives at least one of the identification information and thesecurity information via its second interface from the database andsends said at least one of the identification information and thesecurity information via its first interface or via the trigger signalto the transceiver or the network.

An embodiment of the installer device is defined, wherein the installerdevice is configured to produce an address or wherein the installerdevice is configured to receive the address from the transceiver, whichaddress is configured to address the transceiver. An address to addressthe transceiver is not to be confused with the identificationinformation. Said address may for example be a relatively unique andrelatively constant address such as for example a media access controladdress and may for example be a relatively non-unique and relativelytemporary address, without having excluded other kinds of addresses.Preferably, the installer device is configured to send the address tothe database, for example to ease the communicating.

An embodiment of the installer device is defined, wherein the installerdevice is configured to install upon authorization from the database.Preferably, the database is configured to authorize the installing.

The controller can be a commissioner device, wherein said managingcomprises commissioning, and wherein the second interface is configuredto receive at least one of the identification information and thesecurity information from the database, and wherein the firstcommunication is secured via the security information. A commissionerdevice comprises a controller having a commissioning function forcommissioning the transceiver (for example conditioning and/orconfiguring the transceiver and/or a load coupled to the transceiver ata non-basic, relatively high level). The second interface can receive atleast one of the identification information and the security informationfrom the database, owing to the fact that, during installing, the atleast one of the identification information and the security informationhave been exchanged between the installer device and the database. Thefirst communication can be secured via the security information, owingto the fact that, during the installing of the transceiver, the securityinformation has been exchanged between the installer device and thetransceiver.

An embodiment of the commissioner device is defined, wherein thecommissioner device is configured to receive an order code for orderingthe at least one of the identification information and the securityinformation. The commissioner device receives an order code, such as forexample a code entered by a user via a man-machine-interface of thecommissioner device, or such as for example a code received from thetransceiver after the commissioner device has triggered the transceiver,or such as for example a code received from a beacon, without havingexcluded other kinds of codes. In response to a reception of the ordercode, the commissioner device orders the at least one of theidentification information and the security information. This way, theinstaller device and the commissioner device advantageously use the sameidentification information and the same security information stored inthe database. The installer device and the commissioner device may begiven the same authorization level or different authorization levels.Such an authorization level will be specific per network and will bedefined/controlled by the database.

An embodiment of the commissioner device is defined, wherein thecommissioner device is configured to produce an address or wherein thesecond interface is configured to receive the address from the database,which address is configured to address the transceiver. The address toaddress the transceiver may be the same as the one used by the installerdevice or may be a different one and is not to be confused with theidentification information. Again, said address may for example be arelatively unique and relatively constant address such as for example amedia access control address and may for example be a relativelynon-unique and relatively temporary address, without having excludedother kinds of addresses.

An embodiment of the commissioner device is defined, wherein thecommissioner device is configured to adapt a configuration of the loadand/or the network. Such a configuration may comprise a load-settingand/or a network-setting. As an example only, the configuration can bean autonomous built-in time-based dimming schedule (e.g. in astreet-light a light-output may be varied depending on a moment in time)or a configuration of an occupancy sensor or a day-light sensor of atransceiver or of a load coupled to the transceiver according to a spacetype (e.g. corridor, open office, conference room) or a definition of aresponse of the transceiver or of a load coupled to the transceiver toAutomatic Demand Response signals sent by power utilities (e.g. via anOpen Automatic Demand Response protocol) etc.

An embodiment of the commissioner device is defined, wherein thecommissioner device is configured to commission upon authorization fromthe database. Preferably, the database is configured to authorize thecommissioning. Further preferably, the database is configured to savecommissioning results to prevent a loss of these results.

According to a third aspect, a lighting device is provided said lightingdevice comprising a transceiver coupled to a load, said transceivercomprising at least one identification information and at least onesecurity information. The security information is used for securing thecommunication with the transceiver. The transceiver is adapted to sendthe identification information and adapted to set a secure communicationbased on the security information and configured to be managed by thecontroller as defined above.

According to a forth aspect, a method is provided for controllinglighting device comprising a transceiver coupled to a load, with acontroller device comprising a first interface for communicating withthe lighting device and a second interface for communicating with aremote database, wherein the transceiver comprises at least oneidentification information and at least one security information,wherein the remote data base stores the identification information andan associated identification information for said lighting device,wherein the method comprises the steps of:

-   -   sending identification information from the transceiver to the        controller through the first interface of the controller,    -   sending the associated security information from the remote        database to the controller through the second interface, and    -   securing the communication through the first interface with        associated security information

Embodiments of the method correspond with the embodiments of thecontroller, of the installer device and of the commissioning device.Preferentially, the security information and associated securityinformation are used for encrypting the communication between thecontroller and the lighting device.

An example of the installer device and of the commissioning device is asmart phone or a tablet, with either an installing app to realize theinstalling function or with a commissioning app to realize thecommissioning function. Such a smart phone or a tablet may be extendedwith a third interface, such as a laser pointer for sending a triggersignal to the transceiver, or such as a receiver for receiving theidentification information and the security information from thetransceiver (separately from the first communication, for example via aNear Field Communication possibility), or such as a receiver forreceiving the code from the transceiver (separately from the firstcommunication) or from the beacon, without having excluded other kindsof third interfaces. Such a smart phone or a tablet usually already hasgot a man-machine-interface and a Near Field Communication possibility.

A basic idea is that a controller for managing a transceiver should beable to do a first communication with the transceiver and a secondcommunication with a database, which database should storeidentification information for identifying the transceiver or a networkand security information for securing the first communication.

A problem to provide an improved controller has been solved. A furtheradvantage is that installing and commissioning can be done moreefficiently at reduced complexity and at reduced preparation time.

These and other aspects of the invention will be apparent from andelucidated with reference to the embodiments described hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 shows a first embodiment of a controller and load devices, and

FIG. 2 shows a second embodiment of a controller and load devices.

DETAILED DESCRIPTION OF EMBODIMENTS

In the FIG. 1, a first embodiment of a controller and load devices isshown. The controller 1 comprises a first interface 11 for a firstcommunication via a link 20 (30) with a transceiver 21 (31) of a loaddevice 2 (3). The controller 1 comprises a second interface 12 for asecond communication via a link 40 with a database 4. In the load device2 (3), the transceiver 21 (31) is coupled to a load 22 (32), such as forexample a street-lamp, an integrated light-emitting-diode-luminaire, aceiling-lamp, a wall-switch for switching the ceiling-lamp and awall-dimmer for dimming the ceiling-lamp. In the controller 1, the firstand second interfaces 11, 12 are coupled to a processor/memory 13. Thedatabase 4 is configured to store identification information andsecurity information. The identification information is configured toidentify the transceiver 21 (31) or a network comprising the transceiver21 (31), and the security information is configured to secure the firstcommunication.

Preferably, the transceiver 21 (31) comprises a wireless transceiver andthe network comprises a wireless network, and the first communicationvia the link 20 (30) comprises a first radio communication according toa radio first protocol via a radio link, and/or the second communicationvia the link 40 comprises a second radio communication according to asecond radio protocol via a radio link.

In the FIG. 2, a second embodiment of a controller and load devices isshown. The second embodiment differs from the first embodiment in thatthe controller 1 further comprises a trigger signal transmitter 14coupled to the processor/memory 13, a memory reader 15 coupled to theprocessor/memory 13, and a man-machine-interface 16 coupled to theprocessor/memory 13. Further, the second embodiment differs from thefirst embodiment in that in the load device 2 (3) the transceiver 21(31) further comprises a trigger signal receiver 24 (34). Alternatively,the trigger signal receiver 24 (34) may be located outside thetransceiver 21 (31) and be coupled to the transceiver 21 (31) and/or mayform part of the load 22 (32) and be coupled to the transceiver 21 (31)and/or may form part of the load device 2 (3) and be coupled to thetransceiver 21 (31).

The controller 1 may for example form part of an installer device, inwhich case said managing comprises installing (read: setting up/buildinga network comprising the transceiver, by for example grouping availabletransceivers, and/or by for example conditioning and/or configuring thetransceiver at a basic, relatively low level). Such an installer deviceinstalls the transceiver 21. An example of such an installer device is asmart phone with an app having an installing function. Such an app showsfor example a restricted number of buttons on a touch screen of thesmart phone, like for example six buttons, preferably fewer, like fiveor four buttons. The trigger signal transmitter 14 may be realized via adata output of the smart phone, the memory reader 15 may be realized viaa data input of the smart phone, and the touch screen is an example ofthe man-machine-interface 16. Another example of such aman-machine-interface 16 is a Near Field Communication interface. Thesecond interface 12 is configured to exchange the identificationinformation and the security information with the database 4, and thefirst communication is secured via the security information orotherwise, as follows.

According to a first option, the installer device is configured toproduce at least one of the identification information and the securityinformation. Thereto, for example a button “start new room” on the touchscreen is pressed, and the trigger signal is transmitted to the loaddevice 2, for example by pointing a laser pointer (trigger signaltransmitter 14) to a light detector (trigger signal receiver 24). Thetrigger signal may comprise said at least one of the identificationinformation and the security information, or said at least one of theidentification information and the security information may be exchangedvia the first communication following said trigger signal. In this case,the first communication may at first be secured in a prior art way,until said security information has reached the load device 2, from thatmoment on the first communication can be secured via said securityinformation. The installer device may further be configured to send saidat least one of the identification information and the securityinformation to the database 4, such that the information can be usedagain at a later stage during commissioning. For a nextluminaire/switch/dimmer in the same room, a button “add luminaire” or“add switch/dimmer” on the touch screen can be pressed etc.

According to a second option, the installer device is configured toreceive at least one of the identification information and the securityinformation from the network (the load device 2) or a unit (the memory,like a memory stick, to be read by the memory reader 15). Thereto, forexample a button “start new room” on the touch screen is pressed, andthe trigger signal is transmitted to the load device 2, for example bypointing a laser pointer (trigger signal transmitter 14) to a lightdetector (trigger signal receiver 24). The trigger signal may comprisesaid at least one of the identification information and the securityinformation, when received from the unit, or said at least one of theidentification information and the security information may be exchangedvia the first communication following said trigger signal, when to bereceived from the network. In that case, the first communication may atfirst be secured in a prior art way, until said security information hasreached the load device 2, from that moment on the first communicationcan be secured via said security information. Alternatively, said atleast one of the identification information and the security informationmay be sent from the network to the installer device via anetwork-sender and a device-receiver not shown. The installer device isfurther configured to send said at least one of the identificationinformation and the security information to the database 4, such thatthe information can be used again at a later stage during commissioning.For a next luminaire/switch/dimmer in the same room, a button “addluminaire” or “add switch/dimmer” on the touch screen can be pressedetc.

According to a third option, the installer device is configured toreceive at least one of the identification information and the securityinformation from the database 4 and to send said at least one of theidentification information and the security information to thetransceiver 21 or the network. Then, for example a button “start newroom” on the touch screen is pressed, and the trigger signal istransmitted to the load device 2, for example by pointing a laserpointer (trigger signal transmitter 14) to a light detector (triggersignal receiver 24). The trigger signal may comprise said at least oneof the identification information and the security information, or saidat least one of the identification information and the securityinformation may be exchanged via the first communication following saidtrigger signal. In that case, the first communication may at first besecured in a prior art way, until said security information has reachedthe load device 2, from that moment on the first communication can besecured via said security information. For a nextluminaire/switch/dimmer in the same room, a button “add luminaire” or“add switch/dimmer” on the touch screen can be pressed etc.

Combinations of parts of said three options are possible too and not tobe excluded. A fourth button “close room” may be pressed on the touchscreen to finish the installing. For a load device 2 in the form of astreet-lamp, other kinds of buttons may be introduced, such as setting adimming-timing-schedule of a luminaire or defining a maximumlight-output of a luminaire etc.

Preferably, the installer device may be configured to produce an addressor the installer device may be configured to receive the address fromthe transceiver 21, via the first communication or via a barcode and abarcode reader or via a network-sender and a device-receiver not shown.Said address is configured to address the transceiver 21, and may forexample be a relatively unique and relatively constant address such asfor example a media access control address and may for example be arelatively non-unique and relatively temporary address, without havingexcluded other kinds of addresses. The installer device may beconfigured to send the address to the database 4, for easing thecommunicating. The installer device may further be configured to installupon authorization from the database 4, as further discussed below.

The installer device may be configured to send the network parameters ofthe network comprising the transceiver 21 to the database 4 as soon asthe installer device has become part of this network (has entered thisnetwork), to prevent that in case the installer device has been removedfrom this network (has left this network) incorrectly, no networkparameters are available in the database 4 for this network. Preferably,the database 4 orders/requests the end of the installing at thecontroller 1, and confirms the end of the installing to the controller1.

The controller 1 may for example also form part of a commissionerdevice, in which case said managing comprises commissioning (for exampleconditioning and/or configuring the transceiver and/or a load coupled tothe transceiver at a non-basic, relatively high level). Such acommissioner device commissions the transceiver 21. An example of such acommissioner device is a smart phone with an app having a commissioningfunction. Such an app shows for example a number of buttons on a touchscreen of the smart phone. In a commissioner repair mode, these buttonsmay correspond with the buttons on the installer device. In acommissioner normal mode, the buttons will be different from the buttonson the installer device. Preferably, the number will be again arestricted number, like for example twenty buttons, preferably fewer,like fifteen or ten buttons. The trigger signal transmitter 14 may againbe realized via a data output of the smart phone, the memory reader 15may again be realized via a data input of the smart phone, and the touchscreen is again an example of the man-machine-interface 16. The secondinterface 12 is configured to receive at least one of the identificationinformation and the security information from the database 4, and thefirst communication is secured via the security information, as follows.

According to a first option, the commissioner device is configured toreceive the identification information from the unit (the memory, like amemory stick, to be read by the memory reader 15). Thereto, for examplea button “new commissioning” on the touch screen is pressed, and theunit is read out, or the unit is read out automatically after insertion.At the hand of the identification information, the commissioner devicecan retrieve the security information from the database 4. With theidentification information and the security information being availableat the commissioner device, it can communicate with the transceiver 21and perform the commissioning.

According to a second option, the commissioner device is configured toreceive an order code for ordering the at least one of theidentification information and the security information. Such an ordercode may for example be a code entered via the man-machine-interface 16of the commissioner device (e.g. a room number or a positioningcoordinate of a load for example in the form of a street-light pole), ormay for example be a code received from the transceiver 21 after thecommissioner device has triggered the transceiver, or may for example bea code received from a beacon, or a code presented via a barcode andread via a barcode-reader, without having excluded other kinds of codes.In response to a reception of the order code, the commissioner deviceorders the at least one of the identification information and thesecurity information at the database 4.

After the identification information and the security information havebecome available at the commissioner device, the commissioner device maystart to search for nodes in the already existing (installed) networketc. And, just like the installer device, the commissioner device may beconfigured to send the network parameters of the network comprising thetransceiver 21 to the database 4 as soon as the commissioner device hasbecome part of this network (has entered this network), to prevent thatin case the commissioner device has been removed from this network (hasleft this network) incorrectly, no network parameters or wrong networkparameters are available in the database 4 for this network. Preferably,the database 4 orders/requests the end of the commissioning at thecontroller 1, and confirms the end of the commissioning to thecontroller 1.

Preferably, the commissioner device may be configured to produce anaddress or the commissioner device may be configured to receive theaddress from the database 4, which address is configured to address thetransceiver 21. Said address is configured to address the transceiver21, and may for example be a relatively unique and relatively constantaddress such as for example a media access control address and may forexample be a relatively non-unique and relatively temporary address,without having excluded other kinds of addresses. The address will easethe communicating, and different addresses may allow differentcommunicatings in parallel.

Preferably, the commissioner device may be configured to adapt aconfiguration of the load 22 and/or the network comprising thetransceiver 21. Such a configuration may comprise a load-setting and/ora network-setting. An example of such a load-setting is a lightingcontrol logic that defines for example responses to occupancy triggersand wall-switch triggers and/or that defines for example lighting scenesinvolving multiple luminaires like e.g. a presentation mode in aconference room whereby luminaires next to a screen are switched-off andthe other luminaires are dimmed. Further, the commissioner device may beconfigured to commission upon authorization from the database 4, asdiscussed further below. Further preferably, the database is configuredto save commissioning results to prevent a loss of these results in casethe commissioning has not been finished properly.

Compared to a combined installer/commissioner device, the separateinstaller device and the separate commissioner device allow each deviceto become more user-friendly and to become easier to operate, and alloweach device to be given the same authorization level or differentauthorization levels. Such an authorization level will be specific pernetwork and will be defined/controlled by the database 4. Further, owingto the fact that the database 4 is involved, a use of a multitude ofdevices can be allowed or forbidden at the same time, and thecommissioner device can join the network much more easier.

An audio jack of a smart phone comprises a combination of a data inputand a data output that could be coupled to a dongle with a laser pointer(or any other kind of trigger signal transmitter such as for example aninfrared transmitter or a normal light transmitter etc.) and a Zigbee™radio (or any other kind of first interface 11, with the secondinterface 12 being realized through the smart phone's telephone/internetfunction). The database 4 may further store the (kind of) loads of theload devices, and the load-settings and the network-settings, and theauthorization levels. The installer device and the commissioner devicemay communicate with the database 4 via secure links like https links.The secured first communication between controller 1 and transceiver 21,31 has become much more secure compared to an intrinsic security of forexample a Zigbee™ network that is generally considered to be lesssecure. The database 4 may further produce authorization codes thatdefine the authorization levels. The transceivers 21, 31 may beconfigured to verify these authorization codes. Other examples are6LoWPAN transceivers and Bluetooth™ transceivers, without havingexcluded further transceivers.

So, more generally, the database 4 may further store authorizationinformation that for example defines an authorization level for aninstaller device and/or for a commissioner device, and/or that forexample authorizes the installing and/or the commissioning, and thedatabase 4 may further store privilege information, that for exampledefines a privilege for an installer device and/or for a commissionerdevice. The authorization information for example allows thecommissioner device to change a certain light setting of a luminaire.For example one authorization level allows to modify a maximum currentof a luminaire driver, while another lower authorization level allowsonly to select to trim an upper end of a dimming range of the luminaire,so that for example a 100% light output of the luminaire is defined ate.g. 80% of a maximum light output rating of the luminaire. This is donefor instance to prevent over-lighting if the spacing of officeluminaires is less than the office luminaire regular grid spacing. Asanother example, an authorization level of an installer device candepend upon the person who uses it. This way, a first installer personcan install first kinds of environments, where a second installer personcan install second kinds of environments, with the different kinds ofenvironments being different in size or in location or in complexityetc. It is also possible that a same installer person has differentaccess rights at different moments in time etc. (e.g. the installerperson gets a time restricted access to perform a certain fix etc.) orthat a same installer person must do the installing in a certain orderetc. (e.g. the installer person gets a first access to do a firstinstallment and, after being finished, gets an access to do a secondinstallment etc.).

From an easy-of-market-adoption point of view and/or from an ease-of-usepoint of view: The installer device allows the grouping of transceiversto be done by “moderately-trained” installers, and the commissionerdevice allows the “advanced” commissioning portions to be done by“experts”. During installment, the installer forms part of the network,upon completion of the grouping, network information is transferred fromthe installer device to the database (a central repository such as acloud-based or on-premise server/device) and the installer device isremoved from the network. The commissioner device retrieves the networkinformation from the database and joins the already set up networkwithout a presence of a bridge/gateway etc. being required or without apresence of the installer device being required.

In many prior art systems, during the commissioning, the installerdevice and the commissioner device need to be used simultaneously and ata relatively same location, which is a disadvantage. According to thesolution in the FIGS. 1 and 2, a multitude of installer devices and amultitude of commissioner devices can be used at the same time, which isa great technical advantage.

When a “close room” button is pressed, the installer device mayautomatically transfer all relevant network information and a list ofthe transceivers added to this network and/or the loads coupled to thesetransceivers to the database.

A dongle of the commissioner device can make itself “factory new” andcan join the already existing network, which was previously set up bythe installer device. But, alternatively, the commissioner device couldmonitor the available networks (eave dropping) to find out which networkit is. A list of the transceivers could be stored in the database or inthe relevant transceivers that in that case should remember whichtransceivers are in the room. This could be programmed via the installerdevice at its “close room” operation.

Optionally, the commissioner device can be used in a “repair mode” toalso make small corrections/modifications to the grouping of thetransceivers as earlier done by the installer device, without the needto re-do all the grouping from scratch as required by prior art. In thisrepair mode, the commissioner device has the similar buttons like theinstaller device. However the commissioner device does not need to havea button to start setting up/building a new network, re-installing isdone via the same or another installer device.

Another important use case for intelligent loads is re-visiting astandalone wireless load or a connect-ready network with a maintenancetool or a commissioning tool. There may be a need for a secure joiningmethod for an additional controller other than the installer devicewhich originally set up the network. Such an additional controller (e.g.a replacement installer device or a commissioner device) is to be addedto an already existing network.

For a connect-ready network (comprising wireless luminaires without thepresence of a bridge) or an individual wireless luminaire (such as asingle configurable wireless luminaire), usually onlyresource-constrained components (relatively low digital processingpower) are available to facilitate an easy-to-use and secure networkjoining of installer/commissioner devices. Hence, building a securenetwork joining mechanism for a connect-ready network (or an individualwireless luminaire) is more challenging than a secure network joiningmechanism in a system where at least one part of the system isnon-resource-constrained (e.g. a bridge).

In present prior art, the joining of a replacement device to an existingnetwork is done in a non-secure fashion. For example, the existingZigbee™ network of transceivers is open for any controller to join. Somesystems offer an option of a PIN code to restrict access. However, thePIN code can be lost and provides only limited security.

The installer device may interact with factory-new virgin devices andmay set up a network. The commissioner device may trigger a load toidentify its ID (e.g. with a laser pointer pattern), or an indoorlocation service may be available (e.g. Low Power Wide Area Networks oriBeacons read out by smart phone-based devices).

The joining of the commissioner device to the network may be as follows:The commissioner device receives from the database the identificationinformation (an extended PAN ID, Personal Area Network Identifier, toidentify the network in a unique fashion) and the security information(a network key) and may from the database optionally also receiveprivilege information defining the privileges of the commissioner devicewhen it comes to lighting controls and modification of the luminaire.The identification information and the security information alone arealready sufficient for the commissioner device to communicate with anypart of the network. Then the commissioner device may search for aparent node in the already existing network: The commissioner device maysend beacon requests to find out which wireless nodes of the alreadyexisting network are within the proximity of the commissioner device,the transceivers respond to the beacon requests and the commissionerdevice receives their beacons. The commissioner device selects out ofthe responding transceivers those transceivers which are matchingidentification information (the extended PAN ID). The commissioningdevice may also just eave drop on the network's regular radiocommunication, from which it can be deduced which network it is. Thenthe commissioner device performs a network rejoin using the securityinformation (the network key). The network rejoin may be encrypted withthe security information such that there is proof that a sister devicehas been in the network before. The commissioner device selects a randomnetwork short address during sending out the network rejoin. The randomnetwork short address enables that multiple commissioner and installerdevices can operate in parallel (e.g. at different times).

The solution shown in the FIGS. 1 and 2 allows the use of standardnetworking commands and is for example fully Zigbee™ 3.0 compatible.

Initial securing might be done through two independent https connectionsfrom the installer device and the commissioner device to the databasewithout a need for shared secrets as is done in prior art systems. Theinstaller device and the commissioner device are only allowed access torelevant parts of the database. Each network has its own local secret,that results in a limited localized damage if one of these secrets getscompromised.

The intrinsic network security of Zigbee™ involves global secret keyswhich are unfortunately known to any company making Zigbee™ products.These secrets are hence prone to leak and once leaked they affect allZigbee™ devices of an interoperable profile (such as Zigbee™ Light-Linkor Zigbee™ Home Automation). For example, especially for commissionerdevices that can adjust parameters of luminaires, a highly securefashion is absolutely necessary.

The solution shown in the FIGS. 1 and 2 also allows the joining of asmart phone to a connect-ready network of Bluetooth™ LED lamps and thejoining of a smart phone to a non-IP connected bridge; for an IPconnected bridge, many other (prior art) mechanisms are available.

Another embodiment may be an outdoor luminaire with a Bluetooth™ LowEnergy radio unit (for luminaire configuration). Such an outdoor couldbe a part of a public network comprising a very large number ofluminaires that need to be easily accessed by a large number of portablecommissioning device and preventing any non-authorized access. EveryBluetooth™ Low Energy radio unit has its own private secret that is alsoknown in a central data storage (from the time of manufacture of theluminaire). At the moment that the commissioning device connects withthe luminaire, it retrieves the private secret from the database. Byusing a device-specific-key, it is not a problem if thedevice-specific-key is leaked as it just affects that one luminaire (andnot all the luminaires as in case with a leaked global secret).

As an example, the device specific key could be a master key that isknown by the luminaire and the central storage server. For simplifyingthe access the controller 1 used as commissioning device could be asimple smartphone with an application for controlling the luminairewherein the luminaire could be controlled only through an encryptedcommunication using the Bluetooth communication. An example ofcommunication can be as follow:

-   -   A first communication can be established between the smartphone        and the transceiver of the luminaire using the Bluetooth        communication. During this first communication the transceiver        of the luminaire only transmits an identifier that could be a        MAC address, a network address, a serial number, or any unique        identifier that can clearly identify the luminaire in the        lighting network. Preferentially, the identifier is sent        together with a random number that is specific to the        communication session.    -   Then the smartphone can contact a remote server through the        phone network either using either the Short Message Service, or        an internet access or any other channel available through a        public communication network that enables an authentication of        the smartphone. The Smartphone send the identifier to the remote        server. The random number is preferentially sent together with        the identifier.    -   The remote server can identify the smartphone to be authorized        or not for controlling a luminaire and in particular the        luminaire corresponding to identifier. If the smartphone is        authorized then the server retrieve from a database a secret        corresponding to the private secret of the luminaire for then        providing a session key to the smartphone. Preferentially the        session key is derived from both the secret and the random        number.    -   The smartphone can then communicate with the luminaire using the        session key for encrypting and decrypting the messages exchanged        with the luminaire. The session key is then deleted after the        end of the communication.

With such a solution it is difficult to intercept the communicationbetween the luminaire and the smartphone. If an authorized smartphone isstolen, it is possible to revoke it at the remote server level only.Such a system can be more or less robust depending of the key used. Asindicated, the session key can be based on random number but could bealso based on the date or an access counter that do not need theexchange of an information.

Several implementation are possible, the master key can be a 128 bitskey can be completed with the 128 bits random number forming a uniqueand temporary 256 bits number that could be transformed into a 128 bitssession key using a Hash function. Then the 128 bits session key canencrypt or decrypt message using an AES-128 algorithm.

It is also possible to use an asymmetric key system using Public KeyInfrastructure, in that case the remote data base and the luminaire willnot store the same key but complementary keys. The security informationand the associated security information could be other kind ofcomplementary information for example for enabling a challenge-responsebetween the transceiver 21, 31 and the controller 1. Any kind of pair ofsecurity information derived from one to each other can be used.

The securing of the access to the database can be made by the network orby a specific authentication of the commissioning device. The use of SMSenables to use the IMSI or the phone number that is unique in the mobilenetwork for authenticating the smartphone to be an authorized one ornot. Of course it could be also possible to use a more conventionalauthentication with login and password if the connection is made throughinternet. Many method can be used.

Summarizing, controllers 1 for managing transceivers 21, 31 comprisefirst interfaces 11 for first communications with the transceivers 21,31 and second interfaces for second communications with databases 4 thatstore identification information for identifying the transceivers 21, 31or networks comprising the transceivers 21, 31 and that store securityinformation for securing the first communications. Via the secondcommunications, the identification information and the securityinformation can be exchanged. Installer devices comprise the controllers1 such as a smart phone with an installing app for installing thetransceivers 21, 31, and commissioner devices comprise the controllers 1such as a smart phone with a commissioning app for commissioning thetransceivers 21, 31. The installer devices and the commissioner devicesmay be given the same authorization level or different authorizationlevels. Such an authorization level will be specific per network andwill be defined/controlled by the database 4.

While the invention has been illustrated and described in detail in thedrawings and foregoing description, such illustration and descriptionare to be considered illustrative or exemplary and not restrictive; theinvention is not limited to the disclosed embodiments. Other variationsto the disclosed embodiments can be understood and effected by thoseskilled in the art in practicing the claimed invention, from a study ofthe drawings, the disclosure, and the appended claims. In the claims,the word “comprising” does not exclude other elements or steps, and theindefinite article “a” or “an” does not exclude a plurality. The merefact that certain measures are recited in mutually different dependentclaims does not indicate that a combination of these measures cannot beused to advantage. Any reference signs in the claims should not beconstrued as limiting the scope.

1. A lighting system comprising: at least one lighting device includingat least a transceiver coupled to a load, said transceiver comprising atleast one identification information and at least one securityinformation wherein said security information is used for securing thecommunication with the transceiver; a remote database adapted to storethe identification information and an associated security informationfor each lighting device; at least a controller for managing thetransceiver wherein the controller comprises a first interface for afirst communication with the transceiver, and a second interface for asecond communication with the remote database, wherein the controller isadapted to retrieve the identification information of the transceiverthrough the first interface and the transceiver is adapted to send theidentification information to the controller, wherein the controller isadapted to retrieve the associated security information from the remotedatabase through the second interface, and wherein the controller isadapted to use the associated security information to secure the firstcommunication and the transceiver is adapted to set a securecommunication based on the security information.
 2. The lighting systemas defined in claim 1, wherein the transceiver comprises a wirelesstransceiver and wherein the first communication comprises a first radiocommunication according to a first radio protocol, and wherein thesecond communication comprises a second radio communication according toa second radio protocol.
 3. The lighting system as defined in claim 1,wherein said lighting system comprises an installer for setting theidentification information and the security information in thetransceiver or in the remote database.
 4. The lighting system as definedin claim 3, wherein the installer device is configured to provide atleast one of the identification information and the associated securityinformation and to send said at least one of the identificationinformation and the associated security information to the remotedatabase, or wherein the installer device is configured to receive atleast one of the identification information and the associated securityinformation from a network or a unit and to send said at least one ofthe identification information and the associated security informationto the remote database, or wherein the installer device is configured toreceive at least one of the identification information and theassociated security information from the remote database and to sendsaid at least one of the identification information and the securityinformation to the transceiver or a network.
 5. The lighting system asdefined in claim 1, wherein the identification information is comprisedin the list of: a MAC address, a network address, a serial number, orany unique identifier.
 6. The lighting system as defined in claim 1,wherein the security information and the associated security informationare a same information comprised in the list of: a PIN code, a keyword,a symmetric encryption key, a master key.
 7. The lighting system asdefined in claim 1, wherein the security information and the associatedsecurity information are complementary information comprised in the listof: PKI infrastructure key pair, challenge-response information, or anyderived information from one to the other.
 8. The lighting system asdefined in claim 1, wherein the controller comprises authenticationinformation for accessing the remote database.
 9. A controller forcontrolling at least one lighting device including at least atransceiver coupled to a load, said transceiver comprising at least oneidentification information and at least one security information whereinsaid security information is used for securing the communication withthe transceiver, wherein said controller comprises a first interface fora first communication with the transceiver, and a second interface for asecond communication with a remote database storing the identificationinformation and an associated security information for the at least onelighting device, wherein the controller is adapted to retrieve theidentification information of the transceiver through the firstinterface, wherein the controller is adapted to retrieve the associatedsecurity information from the remote database through the secondinterface, and wherein the controller is adapted to use the associatedsecurity information to secure the first communication.
 10. A lightingdevice including at least a transceiver coupled to a load, saidtransceiver comprising at least one identification information and atleast one security information wherein said security information is usedfor securing the communication with the transceiver, wherein thetransceiver is adapted to send the identification information andadapted to set a secure communication based on the security information.11. A method for controlling lighting device comprising a transceivercoupled to a load, with a controller device comprising a first interfacefor communicating with the lighting device and a second interface forcommunicating with a remote database, wherein the transceiver comprisesat least one identification information and at least one securityinformation, wherein the remote data base stores the identificationinformation and an associated security information for said lightingdevice, wherein the method comprises the steps of: sendingidentification information from the transceiver to the controllerthrough the first interface of the controller, sending the associatedsecurity information from the remote database to the controller throughthe second interface, and securing the communication through the firstinterface with the associated security information and the securityinformation.
 12. The method of claim 11, wherein the sending of theassociated security information is made after a sending of theidentification information from the controller to the remote database.13. The method of claim 11, wherein the sending of associated securityinformation is made after a sending of the identification informationtogether with a random number from the controller to the remotedatabase.
 14. The method of claim 13, wherein the at least one securityinformation is a master key and wherein the associated securityinformation is a key derived from the master key and the random number.15. The method of claim 11 wherein the security information andassociated security information are a same key used for encrypting thecommunication between the controller and the lighting device.